horizon: Trailing spaces removed on passwords

Akihiro Motoki amotoki at gmail.com
Wed Jan 29 00:45:28 UTC 2020


I have two comments.

The first one is whether we should strip leading/trailing spaces in
password forms.
As Albert commented, someone thinks they should be stripped.
On the other hand, Django AuthenticationForm does not strip an input
password [0].
I am not sure which is better. IIRC, horizon login form strips
leading/trailing spaces
in an input password since long ago but I see no discussion on this.

The second one is about the original question.
Django CharField strips leading/trailing spaces in an input string by
default. strip=True is the default [1].
The horizon login form just uses CharField [2], so leading/trailing
spaces in an input password are stripped.
To avoid this, you need to add strip=False to CharField [2].
It is not a good idea to change the default value of CharField in Django.
Other usages of CharField may assume the default behavior.
If you would like horizon to change the current behavior, there are
several password related fields and
we need to change all of them consistently, so it is worth filing a bug.

[0] https://github.com/django/django/blob/master/django/contrib/auth/forms.py#L180
[1] https://docs.djangoproject.com/en/3.0/ref/forms/fields/#charfield
[2] https://opendev.org/openstack/horizon/src/branch/master/openstack_auth/forms.py#L73-L74

Thanks,
Akihiro

On Wed, Jan 29, 2020 at 6:27 AM Orestes Leal Rodríguez
<olealrd1981 at gmail.com> wrote:
>
> I have found a way to solve it and give access to users that have
> passwords with spaces at the beginning/end. The issue (not an issue
> per se, but it affects horizon [stein]) lies in django. Specifically
> on 'django/forms/fields.py'
>
> Horizon uses the fields and those by default remove spaces as stated,
> what I did is the following:
>
> On that file, the class CharField's constructor was removing
> leading/trailing spaces:
> Below is the diff between the original and the modified python script
> (one line modified, strip=False)
>
> --- fields.py.orig      2020-01-28 15:16:22.696047918 -0500
> +++ fields.py   2020-01-28 15:16:45.520084974 -0500
> @@ -220,7 +220,7 @@
>
>
>  class CharField(Field):
> -    def __init__(self, max_length=None, min_length=None, strip=True,
> empty_value='', *args, **kwargs):
> +    def __init__(self, max_length=None, min_length=None, strip=False,
> empty_value='', *args, **kwargs):
>          self.max_length = max_length
>          self.min_length = min_length
>          self.strip = strip
>
> Now passwords are not altered by the underlying framework. Not sure
> the effect of not removing trailing/leading spaces from the textfields
> will have on the Horizon operations, though. Maybe horizon should
> redefine that django class to avoid this behavior. I'm also open to
> other solutions from the community. Have a great evening,
>
>
> Thanks.
> Orestes
>
> On 1/28/20, Orestes Leal Rodríguez <olealrd1981 at gmail.com> wrote:
> > From the dashboard openstack is removing the trailing spaces from our
> > user's passwords.
> > We have a modified sql.py backend, that does an ldap bind to an active
> > directory data store. And that works almost always. I say almost
> > because for some users it doesn't work at all. We figure out (and a
> > co-worker also confirmed this) that openstack is removing trailing
> > (also leading?) spaces from the password entered in the dashboard.
> > Also, inside the dashboard trailing spaces are not accepted even when
> > they are equal byte by byte (including the space, I get an error). So
> > this is going on.
> >
> > Do anybody knows where is this removal performed? (python script
> > location, line) So I can remove that since I have users (me included,
> > I have the issue since the very beginning of this deployment) that
> > cannot login. And they can use their Active Directrory passwords from
> > other apps without problem.
> >
> > We are running 'stein' with the latest update for ubuntu 18.04-AMD64.
> >
>



More information about the openstack-discuss mailing list